|
09-12-2017, 10:08 PM
|
#1
|
Full time employment: Posting here.
Join Date: Mar 2008
Posts: 968
|
YubiKey and LastPass
Given the most recent hack with Equifax, I have decided to take the extra step of securing Vanguard funds. I already use the 2 factor text the code thing, but want to step it up.
So my question is this for those that use YubiKey: I use LastPass. Should I set up Vanguard SEPARATELY with the YubiKey or is it just as secure if I log in with LastPass YubiKey with Vanguard?
Any other advice in general with the Yubi would be appreciated. I ordered mine on Amazon and it should be here soon!
|
|
|
|
|
09-12-2017, 10:56 PM
|
#2
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jul 2014
Location: Spending the Kids Inheritance and living in Chicago
Posts: 17,094
|
I don't know what this YubiKey is, but you can set your Vanguard account to require a different PIN number every time.
They will text it to your cell phone, each time you log in. (or you can have it when a different computer logs in).
Then you enter the pin to finish the login process.
|
|
|
09-13-2017, 06:01 AM
|
#3
|
Thinks s/he gets paid by the post
Join Date: Jul 2011
Posts: 1,289
|
I know enough to be dangerous. Given a choice of 2 factor with a code sent from Vanguard or provided by YubiKey, I would go with YubiKey. It is more sophisticated and should provide more protection. I also like that it is under my control and I do not rely on the site provider to send a code.
|
|
|
09-13-2017, 08:58 AM
|
#4
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,263
|
Two factor codes sent to a phone are inherently unsafe because text messaging is inherently insecure.
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
|
|
|
09-13-2017, 10:02 AM
|
#5
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2004
Location: Laurel, MD
Posts: 8,327
|
Quote:
Originally Posted by Chuckanut
Two factor codes sent to a phone are inherently unsafe because text messaging is inherently insecure.
|
Could you please explain this? I know SMS is not secure for a permanent password but what is the danger of texting a one time use PIN that expires after a set time?
__________________
...with no reasonable expectation for ER, I'm just here auditing the AP class. Retired 8/1/15.
|
|
|
09-13-2017, 01:57 PM
|
#6
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,263
|
Quote:
Originally Posted by jazz4cash
Could you please explain this? I know SMS is not secure for a permanent password but what is the danger of texting a one time use PIN that expires after a set time?
|
Cell phone companies make it too easy for bad guys to call them up and say "Hi, this is jazz4cash. I dropped my phone off a 1200 foot cliff while vacationing in Wyoming. I would like to order a new phone with a new SIM card and please port my current phone number to it."
The Equifax fiasco has made it easy for them to know a lot about you and answer the questions they use to make certain you are you.
Then they get control of your IDs and lock you out.
Certainly 2FA with a text message is still safer than no 2FA. But, having a time-based random number generator (either software or a device) is safer yet.
https://www.forbes.com/sites/laurash.../#25cd9128360f
2 Investigators: Fraudsters Can Steal Your Phone Number — And More — Through ‘Porting’ « CBS Chicago
https://www.fastcompany.com/40432975...g-linked-to-it
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
|
|
|
09-13-2017, 02:04 PM
|
#7
|
Recycles dryer sheets
Join Date: May 2012
Posts: 90
|
Here is a good article explaining why SMS is not safe.
https://www.forbes.com/forbes/welcom...ww.google.com/
YubiKey or some sort of authentication software like Google Authenticator or VIP Access are good choices. Schwab and Fidelity offer such since it is much harder for hackers to have your passwords for your account and phone and more importantly the actual device to retrieve the codes.
|
|
|
09-13-2017, 02:32 PM
|
#8
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Sep 2012
Posts: 11,702
|
Quote:
Originally Posted by Chuckanut
Certainly 2FA with a text message is still safer than no 2FA. But, having a time-based random number generator (either software or a device) is safer yet.
|
And everybody wants their own device.
I got one for E*Trade. I've resisted getting one for other accounts because they are easy to lose.
Sometimes I think we have no hope against the bad guys.
|
|
|
09-13-2017, 03:05 PM
|
#9
|
Full time employment: Posting here.
Join Date: Apr 2010
Posts: 717
|
Consider "Computer access restrictions" option, seems very effective.
__________________
“The problem with the world is that the intelligent people are full of doubt, while the stupid people are full of confidence.”
(—Charles Bukowski)
|
|
|
09-13-2017, 04:41 PM
|
#10
|
Thinks s/he gets paid by the post
Join Date: Jul 2012
Location: Texas
Posts: 3,024
|
I've thought about getting a YubiKey as added protection for my password manager, which is PasswordSafe. I have PasswordSafe installed on my desktop, laptop, and cell phone. I recently lost a phone that had the app on it. Even though I have a very strong master password, I spent an hour or two changing all my passwords. I like the idea of a YubiKey as a second level of physical security for that and possibly other applications as well. Just haven't done it yet.
Fidelity uses VIP Access, which is far more secure than texting or emailing PINs, essentially equivalent to hardware-based 2FA. In addition to knowing my Fidelity ID and password, a thief would need to be in possession of my smartphone and my right index finger. In addition, I recently signed up for Fidelity MyVoice, which is their new voice recognition technology. So in theory, a thief who calls Fidelity pretending to be me will not get access to anything, even if they have all the correct credentials and security Q&A.
I like owning Vanguard ETFs at Fidelity.
__________________
Retired at 52 in July 2013. On to better things...
AA: 85/15 WR: 2.7% SI: 2 pensions, SS later
|
|
|
09-14-2017, 08:33 AM
|
#11
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,263
|
Quote:
Originally Posted by JoeWras
And everybody wants their own device.
I got one for E*Trade. I've resisted getting one for other accounts because they are easy to lose.
Sometimes I think we have no hope against the bad guys.
|
So E*Trade requires you to have a custom device made just for their service?
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
|
|
|
09-14-2017, 08:34 AM
|
#12
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,263
|
This might help if one is seeking info on who uses 2FA?
Quote:
List of websites and whether or not they support 2FA.
|
https://twofactorauth.org/
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
|
|
|
09-14-2017, 08:40 AM
|
#13
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Sep 2012
Posts: 11,702
|
Quote:
Originally Posted by Chuckanut
So E*Trade requires you to have a custom device made just for their service?
|
They used to, if you chose 2 factor.
Apparently they now have an application. I guess that means an app for every service.
The device (a little dongle on your keyring) is probably the ultimate in 2 factor. The thief would need to physically compromise you and the device. The device creates a code unique to each person, so using another one won't work.
|
|
|
09-14-2017, 10:01 AM
|
#14
|
Thinks s/he gets paid by the post
Join Date: Apr 2013
Location: Ormond Beach
Posts: 1,407
|
Quote:
Originally Posted by Chuckanut
Certainly 2FA with a text message is still safer than no 2FA. But, having a time-based random number generator (either software or a device) is safer yet.
|
Yep, until you run into the cold truth that no one wants multiple dongles and/or software solutions to this problem. So 2FA will inherently have issues.
|
|
|
09-14-2017, 11:33 AM
|
#15
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jun 2008
Posts: 13,144
|
Quote:
Originally Posted by GTFan
Yep, until you run into the cold truth that no one wants multiple dongles and/or software solutions to this problem. So 2FA will inherently have issues.
|
My wish is that most places flock to use Google Authenticator (compatible) QR scans. The thought of multiple dongles to accomplish pretty much the same thing sounds a lot like the tiny keyring reward cards. Can get cumbersome pretty quickly.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
|
|
|
09-14-2017, 12:07 PM
|
#16
|
Confused about dryer sheets
Join Date: Sep 2017
Posts: 1
|
Is anyone aware of data regarding the frequency of major mutual fund companies like Vanguard being hacked and customers actually losing assets? Other than cases where legit passwords were stolen....Does this actually happen?
|
|
|
09-15-2017, 08:12 AM
|
#17
|
Recycles dryer sheets
Join Date: Oct 2006
Posts: 134
|
YubiKey at Vanguard is somewhat useless because they simply default to their other security measures if the key is lost. I posed this scenario to them directly.
__________________
I'm sorry if I ask questions that are too nosy/personal.
|
|
|
09-15-2017, 07:46 PM
|
#18
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2008
Location: On a hill in the Pine Barrens
Posts: 9,720
|
Interesting wiki page, that has a matrix of threat coverage for authentication.
https://en.wikipedia.org/wiki/Compar...tion_solutions
|
|
|
09-15-2017, 08:03 PM
|
#19
|
Full time employment: Posting here.
Join Date: Mar 2008
Posts: 968
|
Bought the YubiKey and want to secure my password manager LastPass along with Vanguard. But it seems I have to activate yet another verifier if I still want access to LP with my iPhone as an authorized device. Too darn complicated to wade through tonight.....
Just seems it should not be this confusing for the nontechnical!
|
|
|
09-16-2017, 11:23 AM
|
#20
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jun 2008
Posts: 13,144
|
Quote:
Originally Posted by bizlady
Bought the YubiKey and want to secure my password manager LastPass along with Vanguard. But it seems I have to activate yet another verifier if I still want access to LP with my iPhone as an authorized device. Too darn complicated to wade through tonight.....
Just seems it should not be this confusing for the nontechnical!
|
Seems there's always a balance between ease of use vs security confusion.
You aren't alone. I sort of wasted my morning today trying to get more organized with my 2FA settings attempting to create a spreadsheet with columns of what I use (OTP App, SMS, email, backup codes, and so on). Finally I gave up and condensed the spreadsheet to my accounts and the primary method used for those accounts. Not perfect, but better than nothing.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
|
|
|
|